Mozilla Cloud non-Decryptable Download?

Message

miroR · Post by **miroR** » Thu Oct 29, 2015 6:22 pm

EDIT 2015-11-05 23:19+01:00:
the title now:
Mozilla Cloud non-Decryptable Download?

This topic contains the intrusive disruption of my topic by another Gentoo member, for which I am unable to continue, if this post, currently last, is not removed:

< this same topic >
https://forums.gentoo.org/viewtopic-t-1 ... ml#7837184

I hope this won't continue to be happening in other topics of mine.

I had wanted to try to contain the intrusive intentional ruining of my topic here:

Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
https://forums.gentoo.org/viewtopic-t-9 ... ml#7837090

the reasons why there, and not here, is explained there clearly.

But to no avail. Yes I have reported the post. We'll see. (If the link to the intrusive post becomes dead, it has been removed.)
EDIT END
==== underneath here content unmodified, remains as of the first timestamp =====
Not sure at all what this will come out.

Code: Select all

993e1cf1d0305fa519c9941189221c01b974d3596de21615768e20a7e521eac4 some-file
73a1f52a202450bab08632362bb74d38f4b1cbd8b45f92cbaf2314eb225d406f some-other-file

I make make un unrelated post (planned previously) out of this.

However, if this is something interesting (just take a look at how interesting this topic of mine

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html

appears to be; currently3498 views), it is important that the files don't be easily dismissed as unauthentic.

Patience, I kindly ask of readers.

khayyam · Post by **khayyam** » Thu Oct 29, 2015 6:43 pm

miroR wrote:However, if this is something interesting (just take a look at how interesting this topic of mine [...] appears to be; currently3498 views), it is important that the files don't be easily dismissed as unauthentic.

miro ... yes, and if you include a URL in every post you make (as you do) then crawlers will harvest those links, and so the views increase ... isn't technology amazing. Your posts, this one especially, are esencially nonsensical, and you seem to be under the impression that people are reading.

best ... khay

miroR · Post by **miroR** » Sat Oct 31, 2015 3:14 am

I'll now post what I had prepared previously.
---

I wrote wrote: ==== This is a completed content for the post of two days ago. Not touching that one. Nicer remains the timestamp. ===

Still not sure where this issue goes.
Code: Select all
993e1cf1d0305fa519c9941189221c01b974d3596de21615768e20a7e521eac4  dump_151029_1757_g0n.pcap
73a1f52a202450bab08632362bb74d38f4b1cbd8b45f92cbaf2314eb225d406f  Screen_151029_1757_g0n.mkv
No, I won't make un unrelated post out of this. What other topic I planned previously will go separately elsewhere.

These files are:
Code: Select all
-rw-r--r-- 1  86340324 2015-10-29 18:32 dump_151029_1757_g0n.pcap
-rw-r--r-- 1 176027816 2015-10-29 18:32 Screen_151029_1757_g0n.mkv
or:
Code: Select all
-rw-r--r-- 1  83M 2015-10-29 18:32 dump_151029_1757_g0n.pcap
-rw-r--r-- 1 168M 2015-10-29 18:32 Screen_151029_1757_g0n.mkv
and the priority is just the network capture. Screencast hopefully later, and maybe even in some other fashion (vimeo.com). No room on croatiafidelis.hr .

This topic follows on the heels of this other topic:

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html

You can check all with the traffic dump in the dir:

http://www.croatiafidelis.hr/foss/cap/c ... -MozCloud/

Here's the straight link:

http://www.croatiafidelis.hr/foss/cap/c ... 7_g0n.pcap

tshark -n -q -r dump_151029_1757_g0n.pcap -z io,stat,0

Code: Select all

========================================
| IO Statistics                        |
|                                      |
| Duration: 1992.9 secs                |
| Interval: 1992.9 secs                |
|                                      |
| Col 1: Frames and bytes              |
|--------------------------------------|
|                  |1                  |
| Interval         | Frames |   Bytes  |
|--------------------------------------|
|    0.0 <> 1992.9 |  93301 | 83347395 |
========================================

tshark -q -r dump_151029_1757_g0n.pcap -z conv,ip
<but the resolved names in parentheses is of my addition> [*]

Code: Select all

================================================================================
IPv4 Conversations
Filter:<No Filter>
                                                                                                                                     |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                                                                                                     | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.3                                       <-> 54.192.55.37(d3581xjroqhv5u.cloudfront.net)                                     47095  70986165   25543   1799129   72638  72785294    59.282923000       249.2311
192.168.1.3                                       <-> 91.198.174.192(METa.wikimedia.org)                                               1811   1394268    1850    208476    3661   1602744    14.401525000      1878.8822
192.168.1.3                                       <-> 91.198.174.208(upload.wikimedia.org)                                             1526   1557690    1405    146571    2931   1704261    14.644842000      1866.1800
192.168.1.3                                       <-> 67.215.92.219(www.opendns.com)                                                   1400   1984347     987     97464    2387   2081811    55.222555000        21.1789
192.168.1.3                                       <-> 104.87.7.204(e4478.a.akamaiedge.net)                                              872    983483     650     69023    1522   1052506  1296.578943000       237.2263
192.168.1.3                                       <-> 79.133.35.202(orsn.net)                                                           814   1116764     583     57255    1397   1174019  1912.621276000        61.3161
192.168.1.3                                       <-> 106.187.50.235(wiki.opennicproject.org)                                           401    206739     516     59582     917    266321   668.428752000       803.0666
192.168.1.3                                       <-> 173.239.79.210(observatory.eff.org)                                               282     89104     361    210384     643    299488    14.610474000      1932.7411
193.92.150.194(db.southeu.clamav.net)             <-> 192.168.1.3                                                                       301     20105     301    349522     602    369627  1971.778438000         7.9034
208.117.229.246(ytstatic.l.google.com)            <-> 192.168.1.3                                                                       262     30257     285    231203     547    261460  1294.235990000       118.1253
192.168.1.3                                       <-> 192.168.1.1                                                                       240     53976     241     19497     481     73473    14.347454000      1963.8573
193.198.233.211(pula.tile.openstreetmap.org)      <-> 192.168.1.3                                                                       224     24565     226    169922     450    194487  1915.340281000        60.6354
207.241.224.26(wwwb-front2.us.archive.org)        <-> 192.168.1.3                                                                       196     18105     202    200912     398    219017   717.542395000        70.5737
208.117.229.216(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                       126     12249     132     82777     258     95026  1295.664277000       115.6899
199.16.156.120(syndication.twitter.com)           <-> 192.168.1.3                                                                       124     31324     130     33285     254     64609   918.258500000       605.8391
208.117.229.251(ytstatic.l.google.com)            <-> 192.168.1.3                                                                       128     14023     123     39553     251     53576  1294.711558000       116.6539
216.58.208.74(googleapis.l.google.com)            <-> 192.168.1.3                                                                        91      7973     111    114445     202    122418  1294.708016000       116.6989
192.168.1.3                                       <-> 104.87.23.15(e10776.b.akamaiedge.net)                                              99     31128      71      6842     170     37970    58.518070000       152.4074
192.168.1.3                                       <-> 104.92.100.137(e6640.g.akamaiedge.net)                                             87     92107      80      6348     167     98455    57.095759000       160.2028
192.168.1.3                                       <-> 104.244.43.44(PLAtfoRM.twitter.com)                                                68     32441      82      8598     150     41039   670.180128000       353.9075
192.168.1.3                                       <-> 104.244.43.108(PLAtfoRM.twitter.com)                                               61      8837      83      9090     144     17927   917.636938000        66.5593
192.168.1.3                                       <-> 23.37.43.27(e8218.ce.akamaiedge.net)                                               61     15537      68      7236     129     22773    66.944206000      1345.4188
192.168.1.3                                       <-> 173.194.113.183(csi.gstatic.com)                                                   56     21454      68      6900     124     28354  1300.186735000       116.1969
192.168.1.3                                       <-> 37.252.170.182(secure.anycast.adnxs.com)                                           67     16811      48      9668     115     26479    68.518336000        60.6243
208.117.229.212(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                        55      5147      49     17320     104     22467    59.114340000       116.1468
199.16.156.52(syndication.twitter.com)            <-> 192.168.1.3                                                                        47      6807      53      9996     100     16803   670.701160000       286.1726
192.168.1.3                                       <-> 54.192.12.211(d15a7gkmxinlzq.cloudfront.net)                                       50     41019      48      4338      98     45357    58.493768000       116.7505
192.168.1.3                                       <-> 74.125.136.141(appspot.l.google.com)                                               50     49669      40      3897      90     53566  1294.714544000       117.6672
216.137.59.141(dnn506yrbagrg.cloudfront.net)      <-> 192.168.1.3                                                                        45      4512      41     26783      86     31295    59.223058000       116.0383
192.168.1.3                                       <-> 68.232.35.116(s11.gp1.wac.alphacdn.net)                                            50     31881      36      4050      86     35931    57.170370000       149.3047
216.58.211.4(wwW.google.com)                      <-> 192.168.1.3                                                                        44      5768      39      5230      83     10998    59.222866000      1354.1470
192.168.1.3                                       <-> 46.33.68.128(a1158.b.akamai.net)                                                   37      6404      44      3912      81     10316    58.829964000       116.2763
208.117.229.250(ytstatic.l.google.com)            <-> 192.168.1.3                                                                        39      3705      38     19415      77     23120  1298.278404000       116.0712
216.58.211.3(www.google.hr)                       <-> 192.168.1.3                                                                        40      4504      35     11993      75     16497    59.637909000       116.3867
208.117.229.213(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                        37      3541      34     12194      71     15735  1297.353593000       115.9963
192.168.1.3                                       <-> 173.194.116.185(pagead46.l.doubleclick.net)                                        32     13151      39      4005      71     17156    58.501609000       115.7495
208.117.229.217(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                        37      3618      33     11125      70     14743  1291.738397000       117.6083
192.168.1.3                                       <-> 54.246.123.254(data-collector-linkedin-prod-803114458.eu-west-1.elb.amazonaws.)    31     15502      39      4164      70     19666    65.741151000        65.5876
192.168.1.3                                       <-> 104.244.43.172(platform.twitter.com)                                               30      6242      39      4237      69     10479  1223.068003000       189.3098
192.168.1.3                                       <-> 173.194.116.220(dart.l.doubleclick.net)                                            30     12906      39      3813      69     16719    58.496705000       116.7201
216.58.209.168(www-googletagmanager.l.google.com) <-> 192.168.1.3                                                                        37      3185      32     22797      69     25982    58.465698000       115.6854
192.168.1.3                                       <-> 185.63.147.10(any-eu.www.linkedin.com)                                             32      9541      36      3837      68     13378    69.327707000       116.8225
216.58.211.35(www.google.hr)                      <-> 192.168.1.3                                                                        35      3683      27      9934      62     13617  1298.187182000       116.1833
192.168.1.3                                       <-> 173.194.112.250(pagead.l.doubleclick.net)                                          27     10512      35      3826      62     14338  1296.363420000       116.0318
192.168.1.3                                       <-> 50.31.164.174(bam.nr-data.net)                                                     29      7729      33      4193      62     11922    66.302954000       116.9269
208.117.229.218(youtube-ui.l.google.com)          <-> 192.168.1.3                                                                        32      3924      28      4920      60      8844  1296.574470000        61.8602
192.168.1.3                                       <-> 54.246.108.37(fanboy-web-linkedin-prod-935158116.eu-west-1.elb.amazonaws.com)      31     14062      28      2895      59     16957    70.308618000        61.7705
192.168.1.3                                       <-> 54.228.244.241(data-collector-linkedin-prod-803114458.eu-west-1.elb.amazonaws.)    31     14445      28      3022      59     17467    67.928440000        61.3584
208.117.229.249(ytstatic.l.google.com)            <-> 192.168.1.3                                                                        30      4209      29      5726      59      9935    57.281102000        63.3404
192.168.1.3                                       <-> 46.137.124.98(www.bizographics.com)                                                30     13494      28      2991      58     16485    67.281565000        61.6806
192.168.1.3                                       <-> 173.194.112.89(pagead.l.doubleclick.net)                                           27     12060      29      2653      56     14713    57.106885000       116.1459
192.168.1.3                                       <-> 74.125.136.95(googleadapis.l.google.com)                                           26      3409      29      3620      55      7029  1294.706363000       115.6756
192.168.1.3                                       <-> 173.194.116.218(pagead46.l.doubleclick.net)                                        21      6160      24      3752      45      9912   529.405475000       115.8264
192.168.1.3                                       <-> 185.31.17.175(c.global-ssl.fastly.net)                                             22     16026      21      2065      43     18091    65.716976000        61.7831
192.168.1.3                                       <-> 173.194.113.90(pagead46.l.doubleclick.net)                                         18      2394      21      2879      39      5273  1296.801580000       115.5870
192.168.1.3                                       <-> 66.228.63.70(www.opennicproject.org)                                               30      7113       9       636      39      7749  1229.968277000        99.7276
192.168.1.3                                       <-> 104.244.43.12(platform.twitter.com)                                                16      4992      23      1935      39      6927   789.216954000       439.4942
127.0.0.1                                         <-> 127.0.0.1                                                                          36      3732       0         0      36      3732  1984.204172000         8.6515
192.168.1.3                                       <-> 17.171.8.16(ocsp.pki-apple.com.akadns.net)                                         16      4580      19      1526      35      6106  1292.914909000       115.5835
192.168.1.3                                       <-> 46.33.68.72(a1158.b.akamai.net)                                                    16      3024      18      1676      34      4700    57.228615000       115.8789
192.168.1.3                                       <-> 93.184.220.29(cs9.wac.phicdn.net)                                                  10      3060      14      2261      24      5321    56.073400000        26.2459
193.63.75.103(www.openstreetmap.org)              <-> 192.168.1.3                                                                        13      1619      10      6299      23      7918  1913.250907000         6.6914
192.168.1.3                                       <-> 67.215.92.210(dashboard.opendns.com)                                               11      5765      12      1582      23      7347    58.906764000        11.1855
199.16.156.230(twitter.com)                       <-> 192.168.1.3                                                                        10      1018      12      4357      22      5375  1290.983939000         7.1214
205.178.187.13(www.networksolutions.com)          <-> 192.168.1.3                                                                        12       840       9       636      21      1476   707.301071000        20.6142
192.168.1.3                                       <-> 188.40.2.4(osmtools.de)                                                             9      1652      11       970      20      2622  1915.225345000        15.1181
192.168.1.3                                       <-> 17.146.233.10(files.me.com)                                                         9      3436      10      1501      19      4937  1292.427851000         4.1550
199.16.156.6(twitter.com)                         <-> 192.168.1.3                                                                        10      1018       9      4091      19      5109   926.159799000         5.6840
207.241.226.249(vlcbackup.archive.org)            <-> 192.168.1.3                                                                        10      1203       8       880      18      2083   723.208901000         5.7509
224.0.0.1                                         <-> 10.16.96.1                                                                         15       930       0         0      15       930   114.177572000      1750.0431
207.241.224.2(archive.org)                        <-> 192.168.1.3                                                                         4       280       2       144       6       424   741.173875000         5.4068
255.255.255.255                                   <-> 0.0.0.0                                                                             2       818       0         0       2       818     0.027432000         3.3679
255.255.255.255                                   <-> 192.168.1.1                                                                         1       592       0         0       1       592     3.417719000         0.0000
================================================================================

The issue with this capture is not too hard to see for a trained eye. A huge portion of the entire capture of 83M, which is a huge traffic for simply browsing which I did for those 33 minutes, without downloading any video or another file of that order of magnitude, a huge portion is here:

grep cloudfro dump_151029_1757_g0n.conv-ip-with-names
<and the legend (the first two lines) is of my addition>

Code: Select all

                                                                                                                                     |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                                                                                                     | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.168.1.3                                       <-> 54.192.55.37(d3581xjroqhv5u.cloudfront.net)                                     47095  70986165   25543   1799129   72638  72785294    59.282923000       249.2311
192.168.1.3                                       <-> 54.192.12.211(d15a7gkmxinlzq.cloudfront.net)                                       50     41019      48      4338      98     45357    58.493768000       116.7505
216.137.59.141(dnn506yrbagrg.cloudfront.net)      <-> 192.168.1.3                                                                        45      4512      41     26783      86     31295    59.223058000       116.0383

and it is especially obvious that the one conversation of all, with the 54.192.55.37(d3581xjroqhv5u.cloudfront.net), downloaded into my system a little short of 70M (the 47095 Frames or 70986165 Bytes, under "<-" ), and so it has made for the great great majority of the traffic.

Maybe that is the regular way Firefox updates. It really may be.

But if it is the regular way Fox updates, then it ought to be in the open, for me, a user of Mozilla Firefox, a program that is Free Open Source Software, at least as it is claimed to be such but its developers (and I still hope they do keep to some standards, at least a significant part of its community).

I'll try and see if I can manage to get the TCP or SSL streams in the open, and see what exactly Mozilla downloaded into my system, and then I can, hopefully, find it in my system, and get an inkling at least, what it does, or is, there for.

Next.

---
[*] Compare with the output of:
thark -q -r dump_151029_1757_g0n.pcap -z hosts

miroR · Post by **miroR** » Sat Oct 31, 2015 3:15 am

Then it ought to be in the open. For me. Encrypted with PFS (Perfect Forward Secrecy), so no one can snoop on it, but if I cared to store and keep the "CLIENT_RANDOM" keys in my $SSLKEYLOGFILE (or in some other fashion), then it must be open for me to see what Mozilla from its cloud downloaded into my system, if that was the case, as it looks to me.

The filter is: "ip.addr==54.192.55.37" (without quotes).

Or maybe better: "(ip.addr==54.192.55.37) || (ip.addr==54.192.12.211) || (ip.addr==216.137.59.141)" (without quotes), but pls. note that I'm guessing only...

I'll take this latest.

I entered (pasted) that string in the Wireshark filter, hit Enter to get that filtered display active, and then File > "Export Specified Packets". "Packet Range" is "All Packets", the "Displayed" is selected already, and I saved it as:

dump_151029_1757_g0n_MozCloud.pcap

If you, by doing the same, get:

Code: Select all

-rw-r--r-- 1 miro miro  75195628 2015-10-30 16:45 dump_151029_1757_g0n_MozCloud.pcap

which is in human readable (the '-h' switch)

Code: Select all

-rw-r--r-- 1 miro miro  72M 2015-10-30 16:45 dump_151029_1757_g0n_MozCloud.pcap

then probably my suggestions can be followed (and if you're into network capture, maybe you can tell all of us more; there will be encryption that I'm afraid I can not decrypt, later; perfectly possible only because my knowledge is insufficient, but also that not all tools are there for decryption, even if I were expert)...

I now open that dump with those just exported specified packets selection in Wireshark.

Now at least we are dealing with only 7 tcp streams, while in the complete dump, there were 472 tcp streams

( you get streams out if you put [0-7] for $the_number in "tcp.stream eq $he_number" in the filter for that MozClould.pcap dump (and you get nothing if you put 8 or greater; and in the complete dump, you get a different tcp stream if you put [0-472] in "tcp.stream eq $the_number", such as "tcp.stream eq 3" or "tcp.stream eq 405", respectively )

.

But can these streams be decrypted? And if, how?

miroR · Post by **miroR** » Sat Oct 31, 2015 3:17 am

I'll try and cut to the chase. Because I'm beginning to be in a hurry. I need Fox as I have to use internet banking for my monthly paying of my bills, and I have only in Fox some trust lingering, from among the javascipt enabled browsers that I could do those payments with.

But my not being able to decrypt the huge payload (we are just about coming to it next), is making me worry, and either I go and pay my bills at the counter instead of via the internet banking, or...

We still have dump_151029_1757_g0n_MozCloud.pcap open in Wireshark.

Enter the filter "tcp.stream eq 5" (without quotes).

Right click on any frame with TLS1.2, follow SSL stream, and save as:

dump_151029_1757_g0n_MozCloud_s5-ssl.dump

You should get:

Code: Select all

$ ls -l  dump_151029_1757_g0n_MozCloud_s5-ssl.dump 
-rw-r--r-- 1 miro miro 136352 2015-10-30 22:30 dump_151029_1757_g0n_MozCloud_s5-ssl.dump
$ ls -lh  dump_151029_1757_g0n_MozCloud_s5-ssl.dump 
-rw-r--r-- 1 miro miro 134K 2015-10-30 22:30 dump_151029_1757_g0n_MozCloud_s5-ssl.dump

Can't delve into it, in a hurry for reason stated above, but it's some tiny adobe managed video, in some likelihood, but it's partial content, I think I saw somewhere when following it (just open it with:

Code: Select all

$ hexedit dump_151029_1757_g0n_MozCloud_s5-ssl.dump

)

But it's this next stream... Do the same right click as before, but choose "Follow tcp stream" instead. And be patient. It's there, we have arrived at where the story might start to become interesting.

Be patient (unless you have a really powerful computor). Do save it as:

dump_151029_1757_g0n_MozCloud_s5.dump

but all those megabytes need a little time to reassemble from those some 40000 different frames (packets).

You should have this eventually:

Code: Select all

$ ls -l  dump_151029_1757_g0n_MozCloud_s5.dump 
-rw-r--r-- 1 miro miro 67764933 2015-10-30 22:41 dump_151029_1757_g0n_MozCloud_s5.dump
$ ls -lh  dump_151029_1757_g0n_MozCloud_s5.dump 
-rw-r--r-- 1 miro miro 65M 2015-10-30 22:41 dump_151029_1757_g0n_MozCloud_s5.dump
$

And here my insufficient knowledge, or encryped content (coming at it in a moment), makes me unable to view what those 65M contain.

Get ready to follow by studying "man hexedit" (emerge hexedit it you haven't yet).

Code: Select all

$ hexedit dump_151029_1757_g0n_MozCloud_s5.dump

Next, search for, in hex, string "474554" (without quotes), which is the string that GET'd content starts with, and take notice how many you find. They should be three (3) only.

Stay with the third 474554 that you found. Mark it. go to end. Copy.

You'll get a jocular warning ( my install is:

Code: Select all

 # equery l hexedit
 * Searching for hexedit ...
[IP-] [  ] app-editors/hexedit-1.2.13:0
#

):

Code: Select all

       Hey, don't you think that's too big?!
	          Really copy (Yes/No)

Enjoy the joke, answer "y" and paste it into a file:

dump_151029_1757_g0n_MozCloud_s5_03.dump

Move again to the start of the third GET and truncate at that point.

Go to beginning, and from there get one, and another time to the start of GET. So you are at the second GET.

Just like before, mark, move to end, copy and paste into a file:

dump_151029_1757_g0n_MozCloud_s5_02.dump

To beginning, and move to the second GET, and truncate there.

Go to beginning, and from there go to the start of the last GET. Mark, move to end, copy and paste into a file:

dump_151029_1757_g0n_MozCloud_s5_01.dump

You should now have:

Code: Select all

$ ls -l dump_151029_1757_g0n_MozCloud_s5_0?.dump
-rw-r--r-- 1 miro miro  1484476 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_01.dump
-rw-r--r-- 1 miro miro 13834287 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_02.dump
-rw-r--r-- 1 miro miro 37479495 2015-10-30 23:35 dump_151029_1757_g0n_MozCloud_s5_03.dump
$ ls -lh dump_151029_1757_g0n_MozCloud_s5_0?.dump
-rw-r--r-- 1 miro miro 1.5M 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_01.dump
-rw-r--r-- 1 miro miro  14M 2015-10-30 23:36 dump_151029_1757_g0n_MozCloud_s5_02.dump
-rw-r--r-- 1 miro miro  36M 2015-10-30 23:35 dump_151029_1757_g0n_MozCloud_s5_03.dump
$

Now, let's go get the gzip data, if we can:

Code: Select all

$ hexedit dump_151029_1757_g0n_MozCloud_s5_03.dump

Search, in hex, for "1F8B08" (without quotes). Only one found. Mark. Move to end. Copy. Paste into file:

dump_151029_1757_g0n_MozCloud_s5_03.gz

And here we go, where I have no idea how to get what that data is:

Code: Select all

$ file dump_151029_1757_g0n_MozCloud_s5_03.gz
dump_151029_1757_g0n_MozCloud_s5_03.gz: gzip compressed data, ASCII, extra field, encrypted
$

Do you see these unusual info the file command is telling us?

And sure, if I try:

Code: Select all

$ gunzip dump_151029_1757_g0n_MozCloud_s5_03.gz
gzip: dump_151029_1757_g0n_MozCloud_s5_03.gz is encrypted -- not supported
$

And it's similar, if I process 02.dump like that, with:

Code: Select all

$ file dump_151029_1757_g0n_MozCloud_s5_02.gz 
dump_151029_1757_g0n_MozCloud_s5_02.gz: gzip compressed data, has CRC, extra field, has comment, encrypted, last modified: Sun Oct 19 05:36:28 2003
$ gunzip dump_151029_1757_g0n_MozCloud_s5_02.gz 
gzip: dump_151029_1757_g0n_MozCloud_s5_02.gz is encrypted -- not supported
$

I'm not saying this isn't legitimate, as I don't know that it isn't.

Nor that it is legitimate.

I'm not so very bright, but neither stupid. I think I'll try and ask about this Mozilla devs, on their mailing list or some such place, or on Wireshark mailing list.

And in the meantime, I can't use Fox for internet banking, and the money that I need to pay, as every month, is due for payment...

Either I go to the bank or post office and pay over the counter (but what then do I have computers for?), or...

Regards!

EDIT 2015-11-01 21:06+01:00. corrected lapsus: 's/1F8B08/474554/'

miroR · Post by **miroR** » Sat Oct 31, 2015 3:28 am

title will be:

Mozilla Cloud non-Decryptable Download?
================
(will change it later)
---

I owe you this one, readers, if there are any (maybe you better not read, or some will get upset if you do...)

I owe you this one, gentle readers:

I wrote:Either I go to the bank or post office and pay over the counter (but what then do I have computers for?), or...

Or...? Or what? lingers the question.

Well, what for did I figured out, for myself and for other people, how to install gentoo air-gapped:

Air-Gapped Gentoo Install, Tentative
https://forums.gentoo.org/viewtopic-t-987268.html

?

And why do I try to spread some good methods of backup (would have been better if I had time to make a separate tip for it, true):

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-9 ... ml#7613044

?

Surely I wiped the hard disk clean with the Air-Gapped complete system backup, with the Air-Gapped that could not have any intrusions on it... By cloning the air-gapped master system onto this one... But all these methods are explained in the respective links just given.

And if this matter shows to be nothing to worry about, well, then it need to be possible to get the content of those downloads in the open. Without becoming a rocket scientist to be able to do it...

If Zilla is really FOSS (...hope lingering).

No one is allowed to encrypt things in my computer, behind my back, not even Mozilla (if that was really its cloud downloading in my machine).

And neither should behind your back, gentle readers.

And surely, I'm back to using Dillo. Such a fine worry-free experience. I dream good FOSS people will help the Dillo devs to make Dillo much much better, more complete, and competing with the commercial big browsers...

Back to the issue. Anyone knows how to decrypt those?

Can you help us (It is likely that other users will have issues like this)?

Because it might take me longish to figure this out....

(If I do, I'll tell all of you!)

Regards!

miroR · Post by **miroR** » Sat Oct 31, 2015 3:53 am

Ah, and I forgot.

The entire snapshot of the system, with that download in it, is saved, and will be available for weeks, maybe even months from now.

With the backup/cloning method that I linked to in the previous post.

So no information, if there some real expert happens to want to look into this, has been lost.

Good night!

miroR · Post by **miroR** » Sun Nov 01, 2015 1:03 pm

I can not believe I had forgotten to post the SSLKEYLOGFILE-151029.log....

It is there now.

No, that wouldn't decrypt the Moz Cloud download, no. But that decrypts everything else.

Anyway, I updated the:

http://www.croatiafidelis.hr/foss/cap/c ... -MozCloud/

and you can get the files by downloading just the dLo.sh, and 'chmod 755' to it, then into an empty new dir where you have privs, and ./dLo.sh to get all the files. I am now also uploading the Screen_151029_1757_g0n.mkv, but I'm afraid I won't have that much room left on my NGO's website...

And I mailed to Mozilla dev-security mailing list:

Mozilla Cloud non-Decryptable Download?

Code: Select all

https://groups.google.com/forum/#!topic/mozilla.dev.security/abSHPU4EaP8

the link above is for pasting into your browser's address bar, because, like this:

https://groups.google.com/forum/#!topic ... bSHPU4EaP8

the '/#!' seems to erroneously end the reading of the address for phpBB...

EDIT 2015-11-01 20:42+01:00:
Ah, managed to get the address, it's the Schmoog's way, nobody else's:

https://groups.google.com/d/msg/mozilla ... 5UMFJsCAAJ

(such as, it don't let me view it with Dillo, the shingilibindildiyots!)
EDIT END

(
Anyway, only the Schmoog, really, could come up with such a standard for http addresses. The Schmoog rapist of the standards, like with the SPDY and the HTTP2, which you can read about in the topic which this one you're reading follows on the heels of; but I must not give you the link, as that would surge the views of it, and some people would get upset... Find the link in the first post...

Which first post of this topic will be expanded with some more necessary details only when no shadow of doubt is left as to authenticity of the event of the apparent Moz cloud autodownload into my machine, non-decryptable for me, the user, having happened when I claim, by the virtue of the traffic dump and the screencast being verifiable to have been taken when I posted that first post in this topic)

Which first post of this topic will be expanded with some more necessary details when more views, by different viewers, dispell any shadow of doubt in the authenticity of the traffic dump and screencast.

And only then can I also change the title of this topic to "Mozilla Cloud non-Decryptable Download?"
)

Regarding my post to Mozilla dev-security ML, let's see if I get any info back...

miroR · Post by **miroR** » Sun Nov 01, 2015 2:16 pm

All is in the:
http://www.croatiafidelis.hr/foss/cap/c ... -MozCloud/

and I checked it by downloading it. Sums are right, and digitally verified with my PGP signature...

miroR · Post by **miroR** » Sun Nov 01, 2015 8:19 pm

I'm not letting go of this. I'll try and ask on Wireshark ML, if I don't get any replies from Moziila devs. I mean any real replies...

The last reply, so far, is so general, and so dry... So hitting-oneself-in-the-mind's-eyes and beating-ones-brain to churn out a dry-kind empty reply... that it makes me sad.

Looks like really this is some abuse attempted on my machine, from Mozilla Cloud addresses.

But... Before I change the title; which is not yet, too few views, at which time I can take the opportunity to say it more forcefully, right there upfront and very clearly in the first post...

Which I can not edit, the first post, yet, because of the shintilibidintitty "advice" there posing like a thought exudision...

Before that, I am advising readers who wish to understand what this is about, that they need to study the link given upfront, else they can not figure this issue here at all...

Again, get familiar with this:

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html

else you can not understand here.

miroR · Post by **miroR** » Sun Nov 01, 2015 9:08 pm

There could be the solution on the way, and the autodownload couldl be legitimate.

I got a kind reply by Andrew Sutherland:

https://groups.google.com/d/msg/mozilla ... itJEGICAAJ

More work for me... as usual, at turtle-speed.

Regards!

khayyam · Post by **khayyam** » Wed Nov 04, 2015 7:52 pm

miroR wrote:Over in a new topic of mine:

Mozilla Cloud non-Decryptable Download?

(which I can not change the subject of the topic into the one above yet, for reasons easily understood if you read there)

I had posted this:
I recently wrote:Not sure at all what this will come out.
Code: Select all
993e1cf1d0305fa519c9941189221c01b974d3596de21615768e20a7e521eac4 some-file
73a1f52a202450bab08632362bb74d38f4b1cbd8b45f92cbaf2314eb225d406f some-other-file
I make make un unrelated post (planned previously) out of this.

However, if this is something interesting (just take a look at how interesting this topic of mine

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html

appears to be; currently3498 views), it is important that the files don't be easily dismissed as unauthentic.

Patience, I kindly ask of readers.
==========

and before you know it, there was this reply:

khayyam wrote:
miroR wrote:However, if this is something interesting (just take a look at how interesting this topic of mine [...] appears to be; currently3498 views), it is important that the files don't be easily dismissed as unauthentic.
miro ... yes, and if you include a URL in every post you make (as you do) then crawlers will harvest those links, and so the views increase ... isn't technology amazing. Your posts, this one especially, are esencially nonsensical, and you seem to be under the impression that people are reading.

best ... khay
Now, since I do not want to disturb that topic... It has been sufficiently disturbed by that khayyam's remark, and since I am a little sick of such topic-pooping, I want to post a few words about it here, not there.

Because this topic (the "Uninstalling dbus and *kits (to Unfacilitate Remote Seats)" is over, technically.

It is technically over, this topic. There is little technical to add about it, other than start a new topic.

But that one is NOT.

But I will write a few more words about it, when I find tine... Because on top of the fact that I work at turtle-speed even at my best, I've also been working at only 10-20% effectiveness, and that only when I managed to get out of bed. Just allergy, but a very very disruptive one...

I'll try and explain why exactly here, I want to post. But it is in brief: this khayyam guy just can't get over our little clash that we had here, and to understand why he decided to try and poop out that new topic of mine, it is necessary to remember what happened here btwn me and him.

Just go back to my, I think, second previous post of mine in the third (first previous) page of this topic:

<this same topic>
https://forums.gentoo.org/viewtopic-t-9 ... ml#7661780

miro ... more nonsense, its not like everyone (steveL, krinn, and many others) haven't said the exact same thing, so, no, I'm certainly "over" it (whatever that "it" happens to be in your imagination). If you have a problem with the post, or my previous posts, then use the 'report' button.

best ... khay

miroR · Post by **miroR** » Wed Mar 30, 2016 2:26 pm

khayyam wrote:
miroR wrote:However, if this is something interesting (just take a look at how interesting this topic of mine [...] appears to be; currently3498 views), it is important that the files don't be easily dismissed as unauthentic.
miro ... yes, and if you include a URL in every post you make (as you do) then crawlers will harvest those links, and so the views increase ... isn't technology amazing. Your posts, this one especially, are esencially nonsensical, and you seem to be under the impression that people are reading.

best ... khay

Just, that topic of mine:

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html

is now:

8726

views.

Ant P. · Post by **Ant P.** » Wed Mar 30, 2016 2:44 pm

Eight thousand views from Googlebot, your best friend!

khayyam · Post by **khayyam** » Wed Mar 30, 2016 3:21 pm

miroR wrote:Just, that topic of mine is now: 8726 views.

... shall I explain again how 'views' are calculated, and how meaningless they are as a metric for quality?

Akkara · Post by **Akkara** » Wed Mar 30, 2016 7:02 pm

miroR wrote:Just, that topic of mine:

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html

is now:

8726

views.

miroR: Please stop bumping this. A good half those views are from myself and other moderators wondering what to do with it. They are NO indication whatsoever of the quality (or lack thereof) of the topic. And by you posting here, this thread's count wil go up by a few 100 as I, others, and a myriad of Google/Bing/Alibaba/etc bots all come around to see what's new and index it all. And, by my posting this, the count here will go by a bunch more. Did you know that if you view your own thread, the count goes up? Wheee! let's play the game, can we make it to 9000?

You [topic=1041598]have been warned[/topic].

Locked.

Mozilla Cloud non-Decryptable Download?

Mozilla Cloud non-Decryptable Download?

Re: Some issue with network

Re: Some issue with network

Re: Some issue with network